Configure OCSP Stapling on Apache

Posted August 23, 2016 10.5k views

I’m trying to enable OCSP Stapling on my 000-default.conf file in Apache/2.4.7 (see support article) - when performing the sudo apache2ctl configtest && sudo service apache2 restart command I get a syntax error.

I’m using SSLUseStapling on in my code.

  • Can you share the content of your 000-default.conf file and the details of the syntax error that was displayed? With that information it’ll be much easier to help you identify the issue.

  • 000-default.conf

    <VirtualHost *:80>
            Redirect permanent /
    </VirtualHost>
    <VirtualHost *:443>
            ServerAdmin webmaster@localhost
            DocumentRoot /var/www/html
            Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains;"
            SSLEngine on
            SSLProtocol All -SSLv2 -SSLv3
            SSLHonorCipherOrder On
            Header always set X-Frame-Options DENY
            Header always set X-Content-Type-Options nosniff
            SSLCertificateFile /root/ssl/
            SSLCertificateKeyFile /root/
            SSLCACertificateFile /root/ssl/intermediate.crt
            SSLUseStapling on
            <Directory /var/www/html/>
                Options Indexes FollowSymLinks
                AllowOverride All
                Require all granted
            </Directory>
            ErrorLog ${APACHE_LOG_DIR}/error.log
            CustomLog ${APACHE_LOG_DIR}/access.log combined
    </VirtualHost>

    Error messages:

    Action 'start' failed. The Apache error log may have more information.

    A few errors that I picked up on the Apache error log /var/log/apache2/access.log:

    [Tue Aug 23 10:58:31.630380 2016] [ssl:emerg] [pid 12152] AH01958: SSLStapling: no stapling cache available
    [Tue Aug 23 10:58:31.630447 2016] [ssl:emerg] [pid 12152] AH02311: Fatal error initialising mod_ssl, exiting. See /var/log/apache2/error.log for more information

1 answer

Turns out I just needed to specify the following: SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
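
A pre-flight check for the failure in this thread, added here as an example (not code from the original posts or from Apache): it scans one config text for `SSLUseStapling on` without an `SSLStaplingCache`, and also flags the cache directive placed inside a `<VirtualHost>`, since mod_ssl accepts `SSLStaplingCache` only in the global server config. The function name, sample configs and placeholder certificate path are assumptions; `Include`d files are not followed.

```python
import re

CACHE = 'SSLStaplingCache "shmcb:logs/stapling-cache(150000)"'
# Constructed sample modelled on the question's vhost; the certificate path is a placeholder.
BROKEN = """<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile /path/to/placeholder.crt
    SSLUseStapling on
</VirtualHost>
"""
FIXED = CACHE + "\n" + BROKEN  # cache declared at server level, outside the vhost
MISPLACED = BROKEN.replace("    SSLUseStapling", "    " + CACHE + "\n    SSLUseStapling")

# <IfModule> and similar wrappers do not change directive context, so they are ignored.
TRANSPARENT = {"ifmodule", "ifdefine", "ifversion"}
OPEN = re.compile(r"<\s*(\w+)[^>]*>")
CLOSE = re.compile(r"</\s*(\w+)\s*>")

def check_stapling(conf_text):
    """Return a list of findings about OCSP stapling directives in one config text."""
    stack, findings = [], []
    stapling_lines, cache_at_server_level = [], False
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if CLOSE.match(line):
            if stack:
                stack.pop()
            continue
        opened = OPEN.match(line)
        if opened:
            stack.append(opened.group(1).lower())
            continue
        parts = line.split(None, 1)
        name = parts[0].lower()  # directive names are case-insensitive
        arg = parts[1].strip().lower() if len(parts) > 1 else ""
        scope = [s for s in stack if s not in TRANSPARENT]
        if name == "sslusestapling" and arg == "on":
            stapling_lines.append(lineno)
        elif name == "sslstaplingcache":
            if scope:  # only valid in the global server config
                findings.append(f"line {lineno}: SSLStaplingCache inside <{scope[-1]}>")
            else:
                cache_at_server_level = True
    if stapling_lines and not cache_at_server_level:
        findings.append(f"line {stapling_lines[0]}: SSLUseStapling on without a "
                        "server-level SSLStaplingCache (AH01958)")
    return findings
```

Running `check_stapling` on the text of a vhost file before `apache2ctl configtest` reports the missing or misplaced cache directive by line number.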